Google Reveals Windows Kernel Zero Day Under Attack

Google today disclosed the existence of a Windows zero-day vulnerability under attack. The flaw was reported to Microsoft 10 days ago; Microsoft says the disclosure puts users at risk.

A Windows zero-day vulnerability is being used in an unknown number of attacks, Google disclosed today, 10 days after it privately reported the issue to Microsoft.

Google’s disclosure follows its internal policy, which states that companies should fix or publicly report flaws that are under attack after seven days.

Microsoft has yet to issue an advisory—or patch—for the flaw, which Google says is a local privilege escalation vulnerability in the Windows kernel. The vulnerability can be used to escape the sandbox and execute code on the compromised machine. Microsoft said Google’s disclosure puts customers at risk.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told Threatpost. “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

A request for additional comment from Google was not answered in time for publication.

Google researchers Neel Mehta and Billy Leonard of the company’s Threat Analysis Group said they disclosed the vulnerability to Microsoft on Oct. 21, the same day Google also disclosed a separate code execution flaw in Flash Player to Adobe. Adobe rushed an emergency patch last Wednesday for CVE-2016-7855; it too was being used against organizations in targeted attacks. The Flash Player bug affected Windows 7, 8.1 and 10 systems, Adobe said.

Google shared few details on the bug, essentially sharing its existence with users and simultaneously putting pressure on Microsoft to rush a fix of its own. Google’s scant description of the bug:

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

Google’s disclosure policy gives vendors 60 days to patch critical vulnerabilities, or notify users about the risk and any workarounds or temporary mitigations. The policy was published in 2013 and included the seven-day deadline on critical flaws under active exploitation.

“The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” Google said at the time. “Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information.”

“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” Google said.

Discussion

If the "Sandbox" stops applications from making changes (confines the application), how can there be a "local privilege escalation vulnerability in the Windows kernel" from the application that is in the sandbox to begin with?
Escalation is in permissions; how does the application vulnerability allow for "escape" from the sandbox to make changes to the kernel or permissions?

Not sure how Microsoft's refusal to issue a security patch in a timely fashion is Google's fault. Google is blowing the whistle to get Microsoft moving on a fix, after giving them several days to do so in private.
All this corporate BS about Microsoft being the only platform with a security commitment and so on. A commitment does not mean your system is secure, and clearly it doesn't mean you take reported threats seriously.
"Use Windows 10 and the Edge browser for the best protection."
No thanks. I'll keep Ubuntu and Firefox.

Where did you read of a "Microsoft refusal to issue a security patch"?
Everything I've read indicates that Microsoft has been working on a patch since Google's initial reporting to Microsoft. We can criticize Microsoft if that's not the case, but there is no benefit to demonize them for things that aren't true.

"use Windows 10 and the Microsoft Edge browser for the best protection" We should use the browser tied to the OS, less isolated from the vulnerability? I'd argue that this is exactly why we shouldn't use IE/Edge/Safari.